# Contributor: Ariadne Conill <ariadne@dereferenced.org>
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Ariadne Conill <ariadne@dereferenced.org>
pkgname=openssl
pkgver=3.1.4
# Drops the last two dot-separated components of pkgver (3.1.4 -> 3). The
# result names the libcrypto/libssl subpackages below and the engines-N
# directory moved in _libcrypto().
_abiver=${pkgver%.*.*}
pkgrel=2
pkgdesc="Toolkit for Transport Layer Security (TLS)"
url="https://www.openssl.org/"
arch="all"
license="Apache-2.0"
replaces="openssl"
# perl is a build-time dependency: build() runs ./Configure and
# configdata.pm through it.
makedepends_build="perl"
makedepends_host="linux-headers"
makedepends="$makedepends_host $makedepends_build"
subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
	libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
# The upstream tarball is fetched over HTTPS; it and the two locally carried
# patches are pinned by the sha512sums block at the end of this file.
# CVE-2023-5678.patch is a local patch, recorded under 3.1.4-r1 in secfixes.
# NOTE(review): a checksum only pins the bytes that were present when it was
# recorded; nothing in this file shows the tarball being checked against an
# upstream signature, so that check has to happen when pkgver is bumped.
source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
	CVE-2023-5678.patch
	man-section.patch
	"
builddir="$srcdir/openssl-$pkgver"

# secfixes:
#   3.1.4-r1:
#     - CVE-2023-5678
#   3.1.4-r0:
#     - CVE-2023-5363
#   3.1.2-r0:
#     - CVE-2023-3817
#   3.1.1-r3:
#     - CVE-2023-3446
#   3.1.1-r2:
#     - CVE-2023-2975
#   3.1.1-r0:
#     - CVE-2023-2650
#   3.1.0-r4:
#     - CVE-2023-1255
#   3.1.0-r2:
#     - CVE-2023-0465
#   3.1.0-r1:
#     - CVE-2023-0464
#   3.0.8-r0:
#     - CVE-2022-4203
#     - CVE-2022-4304
#     - CVE-2022-4450
#     - CVE-2023-0215
#     - CVE-2023-0216
#     - CVE-2023-0217
#     - CVE-2023-0286
#     - CVE-2023-0401
#   3.0.7-r2:
#     - CVE-2022-3996
#   3.0.7-r0:
#     - CVE-2022-3786
#     - CVE-2022-3602
#   3.0.6-r0:
#     - CVE-2022-3358
#   3.0.5-r0:
#     - CVE-2022-2097
#   3.0.3-r0:
#     - CVE-2022-1343
#     - CVE-2022-1434
#     - CVE-2022-1473
#   3.0.2-r0:
#     - CVE-2022-0778
#   3.0.1-r0:
#     - CVE-2021-4044
#   1.1.1l-r0:
#     - CVE-2021-3711
#     - CVE-2021-3712
#   1.1.1k-r0:
#     - CVE-2021-3449
#     - CVE-2021-3450
#   1.1.1j-r0:
#     - CVE-2021-23841
#     - CVE-2021-23840
#     - CVE-2021-23839
#   1.1.1i-r0:
#     - CVE-2020-1971
#   1.1.1g-r0:
#     - CVE-2020-1967
#   1.1.1d-r3:
#     - CVE-2019-1551
#   1.1.1d-r1:
#     - CVE-2019-1547
#     - CVE-2019-1549
#     - CVE-2019-1563
#   1.1.1b-r1:
#     - CVE-2019-1543
#   1.1.1a-r0:
#     - CVE-2018-0734
#     - CVE-2018-0735
#   0:
#     - CVE-2022-1292
#     - CVE-2022-2068
#     - CVE-2022-2274
#     - CVE-2023-0466
#     - CVE-2023-4807

# Configure and compile OpenSSL for the architecture named by $CARCH.
#
# Reads:   CARCH, CBUILD, CHOST, CBUILDROOT, CROSS_COMPILE, CPPFLAGS, CFLAGS,
#          LDFLAGS
# Writes:  CC, CXX, CPP (cross prefix stripped; CC may gain --sysroot)
# Returns: 1 when CARCH matches no known OpenSSL target
build() {
	local _ossl_target _ossl_opts

	# Per the original note, OpenSSL's build always prepends the
	# cross-compile prefix to CC and friends itself, so strip it here to
	# avoid applying it twice.
	CPP=${CPP#"$CROSS_COMPILE"}
	CXX=${CXX#"$CROSS_COMPILE"}
	CC=${CC#"$CROSS_COMPILE"}

	# Map the Alpine architecture name onto an OpenSSL Configure target.
	# Arm order matters: mips64* has to be tried before mips*.
	case "$CARCH" in
	aarch64*)
		_ossl_target="linux-aarch64"
		;;
	arm*)
		_ossl_target="linux-armv4"
		;;
	mips64*)
		_ossl_target="linux64-mips64"
		;;
	mips*)
		# -mips32 is given explicitly so that -mips3 is not added
		# automatically
		_ossl_target="linux-mips32"
		_ossl_opts="-mips32"
		;;
	ppc)
		_ossl_target="linux-ppc"
		;;
	ppc64)
		_ossl_target="linux-ppc64"
		;;
	ppc64le)
		_ossl_target="linux-ppc64le"
		;;
	x86)
		_ossl_target="linux-elf"
		;;
	x86_64)
		_ossl_target="linux-x86_64"
		_ossl_opts="enable-ec_nistp_64_gcc_128"
		;;
	s390x)
		_ossl_target="linux64-s390x"
		;;
	riscv64)
		_ossl_target="linux64-riscv64"
		;;
	*)
		msg "Unable to determine architecture from (CARCH=$CARCH)"
		return 1
		;;
	esac

	# Configure treats every --option as its own, so gcc's --sysroot
	# cannot be passed as a flag; it is folded into CC instead.
	if [ -n "$CBUILDROOT" ]; then
		CC="$CC --sysroot=$CBUILDROOT"
	fi

	# Cross builds for riscv64 go without threads because libatomic is
	# not available there.
	if [ "$CBUILD" != "$CHOST" ] && [ "$CARCH" = "riscv64" ]; then
		_ossl_opts="$_ossl_opts no-threads"
	fi

	# Options that shape the security posture of the resulting libraries:
	#   no-ssl3, no-weak-ssl-ciphers  SSLv3 and weak cipher suites are
	#                                 left out of the build
	#   no-zlib, no-comp              no compression support
	#   no-idea no-mdc2 no-rc5        these algorithms are not built
	#   no-seed no-ec2m
	#   -Wa,--noexecstack             handed to the assembler so objects
	#                                 are not marked as needing an
	#                                 executable stack
	# The unquoted expansions are deliberate: each variable may hold
	# several flags that must reach Configure as separate words.
	perl ./Configure \
		$_ossl_target \
		--prefix=/usr --libdir=lib --openssldir=/etc/ssl \
		enable-ktls shared \
		no-zlib no-async no-comp \
		no-idea no-mdc2 no-rc5 no-ec2m \
		no-ssl3 no-seed no-weak-ssl-ciphers \
		$_ossl_opts \
		$CPPFLAGS \
		$CFLAGS \
		$LDFLAGS -Wa,--noexecstack

	# Write the effective configuration to the build log, so the options
	# that were actually applied can be audited afterwards.
	perl configdata.pm --dump

	make
}

# Run the upstream test suite, minus the AFALG recipe.
#
# The AFALG recipe fails sporadically, so it is deleted before the run.
# As a consequence, nothing in this build tests the afalg code path.
check() {
	local _flaky_recipe="test/recipes/30-test_afalg.t"

	rm -f "$_flaky_recipe"
	make test
}

# Install into $pkgdir and set the main package's relationship metadata.
#
# depends pins libssl/libcrypto to this exact version-release, so the tools
# and the libraries cannot be upgraded independently of each other.
package() {
	local _verrel="$pkgver-r$pkgrel"

	replaces="openssl3"
	provides="openssl3=$_verrel"
	depends="libssl$_abiver=$_verrel libcrypto$_abiver=$_verrel"

	make DESTDIR="$pkgdir" install

	# The c_rehash script is not shipped. rm has no -f, so it fails if
	# the script was not installed in the first place.
	# NOTE(review): secfixes lists CVE-2022-1292 and CVE-2022-2068 (both
	# c_rehash command-injection issues) under "0:"; not shipping the
	# script is presumably the reason - confirm.
	rm "$pkgdir"/usr/bin/c_rehash
}

# -dev subpackage: declares itself a provider of, and replacement for,
# openssl3-dev at this exact version-release, then hands the file split
# over to default_dev.
dev() {
	local _verrel="$pkgver-r$pkgrel"

	replaces="openssl3-dev"
	provides="openssl3-dev=$_verrel"

	default_dev
}

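# libcrypto subpackage: takes the crypto library, the configuration tree
# and the loadable engine/module directories out of $pkgdir.
#
# Reads: pkgdir, subpkgdir, _abiver
# Each libcrypto* file is moved to $subpkgdir/lib and a relative symlink is
# left at $subpkgdir/usr/lib so both paths resolve to the same file.
_libcrypto() {
	# keep the loop variables out of the caller's scope
	local i name

	pkgdesc="Crypto library from openssl"
	replaces="libcrypto1.1"
	mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib

	# /etc holds the openssldir tree (build() configures
	# --openssldir=/etc/ssl), so the configuration ships with libcrypto.
	mv "$pkgdir"/etc "$subpkgdir"/

	for i in "$pkgdir"/usr/lib/libcrypto*; do
		name=${i##*/}
		# Quoted so that a staging path containing whitespace or glob
		# characters is moved as one argument instead of being split.
		mv "$i" "$subpkgdir"/lib/
		ln -s ../../lib/"$name" "$subpkgdir"/usr/lib/"$name"
	done

	# Engines and ossl-modules are code libcrypto loads at run time; they
	# are packaged together with the library.
	mv "$pkgdir"/usr/lib/engines-"$_abiver" "$subpkgdir"/usr/lib/
	mv "$pkgdir"/usr/lib/ossl-modules "$subpkgdir"/usr/lib/
}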

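# libssl subpackage: takes the libssl* files out of $pkgdir.
#
# Reads: pkgdir, subpkgdir
# Each file is moved to $subpkgdir/lib and a relative symlink is left at
# $subpkgdir/usr/lib so both paths resolve to the same file.
_libssl() {
	# keep the loop variables out of the caller's scope
	local i name

	pkgdesc="SSL shared libraries"

	mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
	for i in "$pkgdir"/usr/lib/libssl*; do
		name=${i##*/}
		# Quoted so that a staging path containing whitespace or glob
		# characters is moved as one argument instead of being split.
		mv "$i" "$subpkgdir"/lib/
		ln -s ../../lib/"$name" "$subpkgdir"/usr/lib/"$name"
	done
}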

# SHA-512 digests for the three entries of source=, in the same order: the
# upstream tarball, then the two local patches.
# NOTE(review): a mismatch here means the fetched or carried file differs
# from what was reviewed; find out why before regenerating the sums.
sha512sums="
a69df4a018f57dee7d8a57c8003a6869eba11f1eaa394518976642a993780d0de3326019e92dea4c679c6c581fef568ea616ec541afc0792800359c606dffcd2  openssl-3.1.4.tar.gz
04123b1822e7faff3ff5be0ad3ef8f7d06cfeb4cc976571f30b8c6a0ad42753f5dbbc5c13fc549ac67c64958dc050ed5c8034ade96e9574bb4e44787dde387e4  CVE-2023-5678.patch
8c44e990fe8a820f649631b9f81cf28225b7516065169a7f68e2dd7c067b30df9b2c6cb88fa826afbc9fcdaf156360aabf7c498d2d9ed452968815b12b004809  man-section.patch
"
